
can gauge the seriousness of updates.

The software giant repaired two Flash Player
vulnerabilities that could be used by attackers to execute malicious code or cause a denial-of-service
condition. One of the errors could be used by attackers to obtain sensitive information via
unspecified vectors, Adobe said. The update, issued Monday, affects users of Flash Player
running on Windows, Macintosh, Linux and Solaris, as well as Flash Player for Google Android
devices.

Adobe said it is not aware of any exploits in the wild attempting to target either
vulnerability. Danish vulnerability clearinghouse Secunia issued a Flash Player advisory, giving the update a “highly
critical” rating. Secunia said the issues stem from Flash Player’s Matrix3D engine, which is
designed to position and orient a three-dimensional (3D) display object.

The Flash Player update is the first one using the Adobe Priority Rating
System. The critical update issued this week was given a “Priority 2” rating, meaning there are
currently no known exploits in the wild and Adobe does not anticipate any imminent exploits
targeting the flaws.

In a blog post about the new rating system, David Lenoe, group manager of the Adobe Product
Security Incident Response Team (PSIRT), said the priority ratings give patching admins a better
way to prioritize patch testing and deployment processes.

“All critical security updates are not created equal,” Lenoe wrote. “For example, if a Flash
Player issue is being exploited in the wild, the update to resolve the vulnerability deserves a
much higher priority than, say, a patch for a critical vulnerability in Photoshop.”

Vulnerabilities being targeted in the wild will be given a “Priority 1” rating, meaning
administrators should install the update within 72 hours or as soon as possible. A “Priority 3”
rating is for updates that are optional because historically the software has not been a target for
attackers.

“We’re going to base our priority ranking on historical attack patterns for the relevant
product, the type of vulnerability, the platform(s) affected, and any potential mitigations that
may be in place,” Lenoe said. “This is a new system, so we may find that adjustments will need to
be made.”

Adobe introduced Mozilla Firefox support for its Flash
Player protected mode feature last month. The company has been engineering a sandbox
environment for the browser component. The protected mode, also available in Google Chrome,
isolates Flash Player from critical processes, making it more difficult for attackers to break out
of the Flash component into a victim’s system.
